---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: ingress-nginx
  namespace: {{ ingress_nginx_namespace }}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups: [""]
    resources: ["configmaps", "pods", "secrets", "namespaces"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["configmaps"]
    # Defaults to "<election-id>-<ingress-class>"
    # Here: "<ingress-controller-leader>-<nginx>"
    # This has to be adapted if you change either parameter
    # when launching the nginx-ingress-controller.
    resourceNames: ["ingress-controller-leader-nginx"]
    verbs: ["get", "update"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get"]
  - apiGroups: ["policy"]
    resourceNames: ["ingress-nginx"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
